Abstract

M. Brin and P. Dehornoy independently discovered a braided version BV
of R. Thompson's group V. In this paper, we discuss some properties of
BV that might make the group interesting for group based cryptography.
In particular, we show that BV does not admit a non-trivial linear
representation.

1 Introduction

One of the ways to visualize elements of R. Thompson's group F is to regard
them as pairs of trees [9]. The trees forming such a pair, called the top tree
and the bottom tree, are finite binary trees with the same number of leaves.
We follow [3] in drawing the top tree with the root at the top and the bottom
tree with the root at its bottom, aligning their leaves to match. An element
of Thompson's group V can be understood in a similar way: we still have a
pair of trees, but now we wedge a permutation in between that decides which
leaves are considered matching.

The braided version BV of Thompson's group V was introduced inde- 
pendently by Brin in [6], [7] and Dehornoy in [11] and has been investigated 
further by several authors [5], [8]. Informally speaking, one obtains an el- 
ement of the braided Thompson's group BV by using a braid instead of a 
permutation to connect the leaves of the top tree to the leaves of the bottom 
tree. In Section 3, we discuss complexity issues of computations in BV. In
particular, we show that multiplication of two elements of BV given in
tree-braid-tree form can be carried out in quadratic time on the input length. In
Section 4, we analyze Brin's presentation of BV to prove the following: 

Theorem. The group BV does not admit non-trivial linear representations 
in any characteristic. 

We note that relatives of BV, namely braid groups and Thompson's group
F, received some attention recently from a cryptographic point of view. Sec- 
tion 5 reflects on the possibility of using the group BV as a platform group 
in cryptographic protocols. 



2 The Group BV and its Braided Band Diagrams

Recall that elements of Thompson's group F can be represented by 
band diagrams. A band diagram encodes splitting and merging of a band 
keeping track of the relative order of splits and merges. Pictorially, one can 
think of band diagrams as thickened tree diagrams. The following picture 
shows band diagrams for the canonical generators $x_0$ and $x_1$:

Two band diagrams are equivalent if one can pass from one to the other by
means of a finite sequence of moves, where each move applies (forward or
backward) one of the following relations:




(first move: eye removal) 



(second move: joint removal) 



A band diagram is called reduced if neither of the above relations can be 
applied forward. It is well known that every band diagram can be reduced 
by a finite sequence of forward applications of the relations and that every 
equivalence class of band diagrams has a unique reduced representative. 

Elements of Thompson's group F correspond to equivalence classes of 
band diagrams. Multiplication of elements of F translates into stacking band 
diagrams. 

Allowing bands to braid, one arrives at the notion of 
braided band diagrams. Those represent elements of the group BV.
Note that bands are allowed to braid, but they are not allowed to twist, i.e., 
a twisted band segment like 



is not allowed in a braided band diagram. 

Also note that we do not distinguish diagrams that just differ in the way 
the braiding is drawn (i.e., the diagrams themselves are supposed to live in 
3-space and are regarded equal if they differ by an ambient homotopy not 
twisting bands). E.g., the following two pictures describe the same diagram: 




Again, two diagrams are equivalent if there is a finite sequence of moves 
transforming one into the other; and we call a diagram reduced if it does not 
allow for a forward application of a relation. 

M. Brin [7, Theorem 2] has shown that BV is generated by the following 
elements: 




Proposition 1. Every equivalence class of braided band diagrams contains
a unique reduced representative, and this representative can be obtained from 
any diagram in the equivalence class via a finite sequence of forward moves. 

Proof. Let $\Delta$ and $\Theta$ be two braided band diagrams. We write
$\Delta \to \Theta$ if there is a forward move from $\Delta$ to $\Theta$.
Since forward moves decrease the number of band-segments in a diagram, it
follows that "$\to$" is a noetherian relation, i.e., there are no infinite
$\to$-chains.

By Newman's Lemma (a standard result on rewriting systems; see,
e.g., [2, Corollary 4.76]), it suffices to show that the $\to$-relation is
locally confluent, i.e., given a diagram $\Delta$ and two forward moves
$\Delta \to \Theta_1$ and $\Delta \to \Theta_2$, there exists a diagram
$\Lambda$ that can be obtained by forward move sequences from both
$\Theta_1$ and $\Theta_2$.

The local confluence condition, however, is easily verified in our setting: 

1. Any two forward moves removing eyes (joints) can be performed in any 
order since the two eyes (joints) do not interfere with each other. 

2. Given two forward moves of different type, either they can be performed 
in any order, or they lead to equal diagrams (possibly after a suitable 
ambient homotopy). The latter happens when an eye meets a joint 
(removing either of them yields a tripod). 



In the following example, we either delete the top-eye or the following 
joint and obtain identical diagrams (i.e., diagrams that are equal after 
a suitable ambient homotopy): 






q.e.d. 



Remark 2. Note that, as a corollary, we recover the result of M. Brin [7, 
Lemma 4.3] that BV contains a copy of F realized as the set of reduced 
diagrams that do not exhibit braiding. 

3 Complexity of the Word Problem 

We want to devise an efficient method for computing products in BV . To do 
so, we have to establish a canonical method of representing elements of BV 
in a way suitable for computations. Braided band diagrams will serve as our 
starting point. 

Let us call a diagram semi-reduced if it does not admit joint-removal 
moves. Obviously, every reduced diagram is semi-reduced. Moreover, ev- 
ery semi-reduced diagram can be transformed into a reduced diagram via a 
(finite) sequence of eye-removal moves. 

Observation 3. A diagram A is semi-reduced if and only if, along each 
route from top to bottom in A, we never find a merge of bands followed by a 
split of the band. q.e.d. 

Observation 4. Consider a semi-reduced braided band diagram A. We can 
isotop the diagram so that all the splits precede any braiding and all the 



merges occur after all the braiding is done: 





Thus, a semi-reduced diagram always decomposes into three layers: the top
part that is a root-at-the-top tree where all the splits of the band occur; the
middle part consisting of a braid of bands; the bottom part which is a
root-at-the-bottom tree where the bands are merged back into a single ribbon.

Consequently, every element of BV can be represented by a triple
$(T^{\mathrm{top}}, \beta, T^{\mathrm{bot}})$, consisting of two planar trees
$T^{\mathrm{top}}$ and $T^{\mathrm{bot}}$ and a braid $\beta$
interpolating between the leaves of the trees. q.e.d.

Observation 5. Conversely, given a triple $(T^{\mathrm{top}}, \beta, T^{\mathrm{bot}})$ as above, we can
form a braided band diagram by stacking the top tree on the top of the braid 
and appending an upside-down drawing of the bottom tree. Within such a 
diagram, along each ribbon we find no merge followed by a split, i.e., the 
diagram is semi-reduced. q.e.d. 

We shall now discuss how to detect removable eyes. Let the triple
$(T^{\mathrm{top}}, \beta, T^{\mathrm{bot}})$ represent a semi-reduced diagram. Assuming that the braid
$\beta$ is an element of the braid group $B_n$, where n is the number of leaves of
either tree, let

$\pi_i : B_n \to B_{n-1}$

be the map defined by deleting the $i^{\mathrm{th}}$ strand (strands are indexed at the top
of the braid); and let

be the map defined by doubling the $i^{\mathrm{th}}$ strand (i.e., splitting that strand into
two all the way from the top to the bottom of the braid).

Observation 6. Let $\beta \in B_n$ be a braid. The $i^{\mathrm{th}}$ and $(i+1)^{\mathrm{st}}$ strands are
parallel, i.e., can be united into a single strand without otherwise disrupting
the braid $\beta$, if and only if $L_i(\pi_i(\beta)) = \beta$. q.e.d.
Observation 7. A semi-reduced diagram represented as a triple
$(T^{\mathrm{top}}, \beta, T^{\mathrm{bot}})$ can be further reduced if and only if there is a pair of
parallel strands in $\beta$ that connects a terminal caret in $T^{\mathrm{top}}$ to a terminal
caret in $T^{\mathrm{bot}}$. Here, a terminal caret in $T^{\mathrm{top}}$ is a split of a band such
that along both resulting bands there are no further splits. Symmetrically,
a terminal caret in $T^{\mathrm{bot}}$ is a merge of two bands both of which had not
previously been involved in merges. q.e.d.

We can use this to reduce diagrams algorithmically.

Algorithm 8. A triple $(T_1^{\mathrm{top}}, \beta_1, T_1^{\mathrm{bot}})$ can be reduced by applying a
sequence of eye-removal moves according to Observation 7. The process can
be organized as follows: 

1. Find the left-most terminal caret of the top tree. 

2. Check whether the strands issuing from this caret are parallel. If so, 
check whether they lead to a terminal caret in the bottom tree. If so, 
remove the eye and check if there is a terminal caret in the current 
position (in the top tree). Repeat this step, if there is one. 

3. Move to the right and repeat the previous step on the next terminal 
caret in the top tree. 

4. Repeat until all terminal carets of the top tree have been visited. 

In this algorithm, we can proceed from the left to the right since an eye- 
removal cannot create terminal carets in the top tree to the left of the caret 
that is being removed. 

Checking whether two triples represent the same group element in BV can 
be performed according to the following: 

Algorithm 9. Given two triples $(T_1^{\mathrm{top}}, \beta_1, T_1^{\mathrm{bot}})$ and $(T_2^{\mathrm{top}}, \beta_2, T_2^{\mathrm{bot}})$,
perform a sequence of eye-removal moves on either of them until both cannot be
further reduced. The triples thus obtained represent the same group element 
if and only if they have the same top and bottom trees and the braids are 
equal as elements of the corresponding braid group. 

Multiplication also has a natural interpretation in terms of diagrams: 



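Observation 10. If two elements $g_1$ and $g_2$ are represented by triples
$(T_1^{\mathrm{top}}, \beta_1, T_1^{\mathrm{bot}})$ and $(T_2^{\mathrm{top}}, \beta_2, T_2^{\mathrm{bot}})$ where $T_2^{\mathrm{top}} = T_1^{\mathrm{bot}}$, then the triple
$(T_1^{\mathrm{top}}, \beta_1\beta_2, T_2^{\mathrm{bot}})$ represents the product $g_1 g_2$. q.e.d.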

Consequently, multiplication in BV can be carried out using the following: 

Algorithm 11. Given two elements $g_1, g_2 \in BV$ represented by
semi-reduced triples $(T_1^{\mathrm{top}}, \beta_1, T_1^{\mathrm{bot}})$ and $(T_2^{\mathrm{top}}, \beta_2, T_2^{\mathrm{bot}})$, compute a semi-reduced
triple for the product $g_1 g_2$ as follows: first unreduce both factors so that the
bottom tree of the left-hand factor matches the top tree of the right-hand 
factor; then form a triple for the product using Observation 10. Note that 
the resulting triple is automatically semi-reduced. 

So far, we have ignored complexity issues and we have taken operations 
on braids and trees for granted. Since braid operations dominate the time 
complexity of all algorithms, we will not discuss the complexity of operations 
on trees. 

To meaningfully discuss the time complexity of the algorithms above, we 
need to settle on a representation of the braid component of a triple. The 
braid is an element of the braid group $B_n$ where the number n of strands is
determined by the tree components of the triple. A natural way to represent
elements of $B_n$ is as words over some fixed generating set. We will be using
the set of non-repeating braids (also called the Garside generators). For this 
set of generators, W. Thurston has given a solution to the word problem in 
braid groups [13, Chapter 9]. 

Recall that a braid $\beta \in B_n$ is positive if it can be drawn so that all
crossings are overcrossings (the down-right strand goes over the down-left
strand). A positive braid is called non-repeating if any pair of strands crosses
at most once. By [13, Lemma 9.1.10], non-repeating braids of $B_n$ are uniquely
determined by the permutation they induce; and for each permutation, there
is a non-repeating braid. Thus, non-repeating braids form a generating set
for $B_n$ whose elements can be represented by permutations on n letters.

The following observation makes the set of non-repeating braids conve- 
nient for our purposes: 

Observation 12. Neither doubling a strand nor deleting a strand creates
undercrossings out of nowhere. Also, both operations do not increase the
number of crossings of any given pair of strands. Thus, if $\beta$ is a non-repeating
braid, then so are $\pi_i(\beta)$ and $L_i(\beta)$ for any i.



It follows that the operations of deleting and doubling strands do not in- 
crease the word length with respect to the generating set of non-repeating 
braids. 

We also note that non-repeating braids can be manipulated efficiently:
the operations of doubling a strand or deleting a strand in a generator are
linear in the length of the input and, therefore, take time $O(n \log(n))$ in the
case of a non-repeating braid of $B_n$.
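
The strand operations described above, as an added example (not code from the paper): a non-repeating braid is stored as the permutation it induces, and the names `delete_strand`, `double_strand`, `parallel`, `on_word` and `induced`, the 0-based strand indexing and the sample word are assumptions of this example. The parallel test applies Observation 6 to a single non-repeating braid only; for longer words the paper compares normal forms, which is outside this example.

```python
# Added illustration; names and 0-based indexing are assumptions of this example.
# A non-repeating braid on n strands is stored as a list p, where the strand
# starting at top position j ends at bottom position p[j].

def delete_strand(p, i):
    """pi_i: remove the strand that starts at top position i."""
    gone = p[i]
    return [v - (v > gone) for j, v in enumerate(p) if j != i]

def double_strand(p, i):
    """L_i: split the strand starting at i into two parallel strands."""
    end = p[i]
    out = []
    for j, v in enumerate(p):
        if j == i:
            out += [end, end + 1]        # the two copies stay adjacent
        else:
            out.append(v + (v > end))    # make room at the bottom
    return out

def parallel(p, i):
    """Observation 6 for one non-repeating braid: L_i(pi_i(p)) == p."""
    return i + 1 < len(p) and double_strand(delete_strand(p, i), i) == p

def on_word(op, word, i):
    """Apply op factor by factor to a word of non-repeating braids (read top
    to bottom), following the chosen strand from one factor into the next."""
    out = []
    for p in word:
        out.append(op(p, i))
        i = p[i]                         # where the strand enters the next factor
    return out

def induced(word):
    """Permutation induced by the whole word."""
    pos = list(range(len(word[0])))
    for p in word:
        pos = [p[x] for x in pos]
    return pos

# Constructed sample: a word of length 2 on 4 strands.
WORD = [[1, 2, 0, 3], [0, 3, 1, 2]]
```

Both operations touch each factor once, so the word length is unchanged, as Observation 12 states.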

For the generating set of non-repeating braids, Thurston defines the right- 
greedy and the left-greedy normal forms, which are unique and can be effi- 
ciently computed: 

Lemma 13 ([13, Corollary 9.5.3]). Let a braid $\beta \in B_n$ be a word of
length h with respect to the generating set of non-repeating braids. Then
$\beta$ can be put in either normal form in time $O(h^2 n \log(n))$. q.e.d.

For computations in BV, we use the right-greedy normal form. 

Definition 14. The normal form of an element of BV is a triple
$(T^{\mathrm{top}}, w, T^{\mathrm{bot}})$, where w is a word over the generating set of non-repeating
braids in right-greedy normal form so that the diagram represented by the 
triple is reduced. (Of course, the way such a triple represents a diagram is 
by regarding the word as representing a braid.) 

Proposition 15. Any triple $(T^{\mathrm{top}}, w, T^{\mathrm{bot}})$, where the trees have n leaves
and w is of length h, can be put into normal form in time $O(h^2 n^2 \log(n))$.

Proof. Since a tree with n leaves has at most n carets, Algorithm 8 requires
at most n unsuccessful checks for eyes and at most n successful checks. Each
check can be carried out with complexity $O(h^2 n \log(n))$. Removing an eye
that has been found is done by computing $\pi_i(w)$ for the corresponding i.
This is done for each generator in the expression of w; and thus, it is linear
in h. Thus, we can eliminate a single eye in $O(h n \log(n))$ time.

Eliminating an eye decreases the number of strands of the braid and there- 
fore has to be done at most n times. Note that during this process, the word 
length of the braid part in the triple does not increase by Observation 12. 

Once the diagram is reduced, the braid part is put into right-greedy
normal form in time $O(h^2 n \log(n))$. q.e.d.



Proposition 16. Let $(T_1^{\mathrm{top}}, w_1, T_1^{\mathrm{bot}})$ and $(T_2^{\mathrm{top}}, w_2, T_2^{\mathrm{bot}})$ be two triples in
normal form representing the elements $g_1$ and $g_2$, respectively. Let $n_1$ and $n_2$
be their numbers of strands and let $h_1$ and $h_2$ be the word lengths of $w_1$ and
$w_2$, respectively.

The normal form triple representing the product $g_1 g_2$ can be computed in
time $O((h_1 + h_2)^2 (n_1 + n_2)^2 \log(n_1 + n_2))$.

Proof. Using Algorithm 11, we have to control how the number of strands
and the word length of the braid grow in the unreducing step. For either
factor, the number of strands grows at most to $n_1 + n_2$ since $T_2^{\mathrm{top}}$ has at
most $n_2$ carets that need to be cloned in $T_1^{\mathrm{bot}}$ and $T_1^{\mathrm{bot}}$ has at most $n_1$ carets
that we might need to recreate in $T_2^{\mathrm{top}}$. Hence, we have to double at most
$n_2$ strands in $w_1$, which can be done in time $O(n_2 h_1 (n_1 + n_2) \log(n_1 + n_2))$;
and we have to double at most $n_1$ strands in $w_2$, which can be done in time
$O(n_1 h_2 (n_1 + n_2) \log(n_1 + n_2))$. The total time for unreducing the diagrams
is therefore $O((h_1 + h_2)(n_1 + n_2)^2 \log(n_1 + n_2))$.

By Observation 12, unreducing does not increase the word length
of the braids. Thus, it follows from Proposition 15 that we can reduce
the triple that we obtain for the product $g_1 g_2$ to normal form
in time $O((h_1 + h_2)^2 (n_1 + n_2)^2 \log(n_1 + n_2))$, which dominates all other
bounds. q.e.d.

Remark 17. One can save some computational effort by not putting all
braids into normal form. Dropping the normalization steps from the al- 
gorithms above yields the following complexity bounds: 

1. Any triple $(T^{\mathrm{top}}, w, T^{\mathrm{bot}})$, where the trees have n leaves and w has
length h, can be reduced in time $O(h n^2 \log(n))$.

2. Let $(T_1^{\mathrm{top}}, w_1, T_1^{\mathrm{bot}})$ and $(T_2^{\mathrm{top}}, w_2, T_2^{\mathrm{bot}})$ be two semi-reduced triples
representing the elements $g_1$ and $g_2$, respectively. For $i \in \{1, 2\}$, let $n_i$
be the number of strands in $w_i$ and let $h_i$ be the word length of $w_i$. A
semi-reduced triple representing the product $g_1 g_2$ can be computed in
time $O((h_1 + h_2)(n_1 + n_2)^2 \log(n_1 + n_2))$. This triple has trees with at
most $n_1 + n_2$ leaves and a braid that is represented as a word of length
$h_1 + h_2$.

From a practical point of view, it therefore pays off to put elements into 
normal form only when one needs to test for equality. 
Remark 18. We note that the bit-length needed to encode a triple with n
strands and the braid given as a word of length h is about $h n \log(n)$. Thus,
multiplication of elements in BV is actually quadratic in terms of total length 
of inputs, i.e., multiplication in BV is about as efficient as the elementary 
school algorithm for multiplying multi-digit integers. 

4 Linear Representations 

Lemma 19 ([6, Corollary 4.14]). The group BV is generated by three
families of generators $\nu_n$, $\pi_n$, and $\overline{\pi}_n$ (where n > 0) subject to the
following relations:

UqUrn = I'ml^q+l m < q 

^m^m = Vm+lT^mKn+l m > 0, £ = ±1 

TlqUrn = l^rnT^q 111 > q + I 

TTgUm = ^mT^q+l Ul < q 

^m = T^m+l^m T^rn m > 

TTgVTm = TT^TTg \m - q\ > 2 

TXqTXm = T^mT^q q > m + 2 

■Kn = nnl^nT^n+l n > 

Moreover, 

1. The family $\{\nu_n \mid n > 0\}$ generates a copy of F inside BV.

2. Imposing the additional relations 

turns the above into a presentation for V . 

In particular, V is a quotient of BV. Thus, BV is not simple. We shall
show, however, that it is not too far from being simple: the normal closure 
of [F, F] (regarded as a subgroup of BV) is all of BV: 

Lemma 20. Consider F as a subgroup of BV, generated by $\{\nu_n \mid n > 0\}$.
Then, BV does not have a proper normal subgroup containing [F, F] . 
Proof. We first note that for i > 1,

,-1 ,, ,, ,,-i,,-i 



and 



l^il^i+l = l^Ol^i+ll^Q l^i+l = N,«^i+i] 



Ui+iu^ ^ = z/i+iZ/oZ/i+\z/o ^ = h+i' ^o] 



are commutators. Telescoping products of such commutators shows that
$\nu_i \nu_j^{-1} \in [F, F]$ for i, j > 1.

Let N be the normal closure of [F, F] in BV. For all i > 1,



-1 
i+2 



Hence, niHi^in- ^i^i^2^i+i ^ ^' ^^^ therefore TTjTTj+iTr^ ""^ G A^. Thus, ttj+i G 



iV for each i > 1. 

Now, we show that all generators of BV die in the quotient BV/N. We
already know this for $\pi_i$ with i > 2. Using the braid relations between $\pi_1$
and $\pi_2$, we find that $\pi_1$ dies as well, and then, in view of the braid relation
between $\pi_0$ and $\pi_1$, we find that $\pi_0$ dies as well.

The family of mixed braid relations (between tt, and 7fj_|_i) now implies 
that TTj = 1 in BV/N for i > I. Now the relations ttq = vfoz/o^r^ ^^<i 
TTo = Tff "'^t'(7"'^7fo imply tTq = 1 in BV/N. 

Thus, the squares of all tt, and all ttj die in BV/N, whence BV/N is a 
quotient of V. However, already too many generators are gone. So BV/N is
a proper quotient of V, and therefore trivial. q.e.d. 

Observation 21. Any linear representation of a simple group is either faith- 
ful or trivial. q.e.d. 

Corollary 22. Neither the commutator subgroup [F, F] in Thompson's
group F nor Thompson's group V admits a non-trivial linear representation
(in any characteristic).

Proof. First note that F is not linear in any characteristic: it is finitely
generated and not solvable. If it were linear, it would contain a non-abelian
free subgroup by the Tits Alternative. But F does not contain non-abelian
free subgroups.

The commutator subgroup [F, F] is also not linear in any characteristic
since it contains a copy of F as a subgroup. The claim for [F, F] now follows
since [F, F] is simple.

The same argument applies to Thompson's group V, which is simple and 
also contains a copy of F. q.e.d. 
The main theorem now follows immediately:

Theorem 23. The group BV does not admit non-trivial linear representa- 
tions in any characteristic. 

Proof. The subgroup [F, F] lies within the kernel of any linear representation 
of BV . However, such a kernel is a normal subgroup and therefore exhausts 
BV by Lemma 20. 

q.e.d. 

5 On the Cryptographic Use of BV 

After the paper by Anshel, Anshel, and Goldfeld [1], group based cryptography
got a huge boost and has been developing rapidly since. An idea behind
using groups in cryptography is that finding solutions of certain equations or 
systems of equations over a given group is computationally infeasible while 
generating equations with known or given solutions might be efficient since 
it only involves multiplication and computing normal forms. 

We recall the key-exchange protocol proposed by Anshel, Anshel, and 
Goldfeld. Below, m, k, n, and l are integer parameters and G is a group,
called the platform group of the protocol. A key-exchange has the goal that 
Alice and Bob collaboratively create a secret that is shared between them. 
In this particular protocol, the shared secret will be an element of G. It is 
selected as follows: 

1. Alice chooses randomly a public set {oi, . . . ,a„i} C G and a private 
key a = af^' ■ ■ ■ a^^* G (oi, . . . , a^) C G. 

2. Bob chooses randomly a public set {6i, . . . , 6„} C G and a private key 
h = hf^---h%e{h,...,hn)<^G. 

3. Alice sends to Bob the n-tuple $\{a b_1 a^{-1}, \dots, a b_n a^{-1}\}$.

4. Bob sends to Alice the m-tuple $\{b a_1 b^{-1}, \dots, b a_m b^{-1}\}$.

5. The shared secret is the commutator $[a, b] = a^{-1} b^{-1} a b$, which both of
them can compute.

The security of this key-exchange protocol depends on how hard it is
to solve the Simultaneous Conjugacy Search Problem in G: given elements
$u_1, \dots, u_t$ and $v_1, \dots, v_t$ in G, find an element $c \in G$ such that $u_i = c^{-1} v_i c$
provided it is known that such a conjugating element exists.
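
The message flow of the exchange and the conjugacy instance it exposes, as an added example (not code from the paper). It runs over permutations of 12 points purely as a stand-in platform group, not over BV; treating k and l as the lengths of the private words, and all function names, are assumptions of this example.

```python
import random

def mul(p, q):                       # group product: apply p, then q
    return tuple(q[x] for x in p)

def inv(p):
    r = [0] * len(p)
    for i, x in enumerate(p):
        r[x] = i
    return tuple(r)

def conj(x, g):                      # x g x^-1
    return mul(mul(x, g), inv(x))

def evaluate(word, gens):
    """Evaluate a word [(index, +1 or -1), ...] in the given generators."""
    g = tuple(range(len(gens[0])))
    for i, e in word:
        g = mul(g, gens[i] if e == 1 else inv(gens[i]))
    return g

def solves_scsp(c, us, vs):
    """The condition stated above: u_i = c^-1 v_i c for every i."""
    return all(u == conj(inv(c), v) for u, v in zip(us, vs))

def exchange(seed=1, degree=12, m=4, n=4, k=8, l=8):
    rng = random.Random(seed)        # constructed sample data, reproducible

    def rand_perm():
        return tuple(rng.sample(range(degree), degree))

    def rand_word(size, length):
        return [(rng.randrange(size), rng.choice((1, -1))) for _ in range(length)]

    # Steps 1 and 2: public generating sets, private words in them.
    A = [rand_perm() for _ in range(m)]
    B = [rand_perm() for _ in range(n)]
    wa, wb = rand_word(m, k), rand_word(n, l)
    a, b = evaluate(wa, A), evaluate(wb, B)
    # Steps 3 and 4: what travels over the wire.
    to_bob = [conj(a, bi) for bi in B]        # a b_i a^-1
    to_alice = [conj(b, ai) for ai in A]      # b a_i b^-1
    # Step 5: each side substitutes the received conjugates into its own word.
    # Alice gets b a b^-1, Bob gets a b a^-1; both then form a b a^-1 b^-1,
    # which is [a^-1, b^-1] in the convention [x, y] = x^-1 y^-1 x y.
    alice_key = mul(a, inv(evaluate(wa, to_alice)))
    bob_key = mul(evaluate(wb, to_bob), inv(b))
    return {"A": A, "B": B, "a": a, "b": b, "to_bob": to_bob,
            "to_alice": to_alice, "alice_key": alice_key, "bob_key": bob_key}
```

An observer holds `B` together with `to_bob` and `A` together with `to_alice`, which are two simultaneous conjugacy instances; `solves_scsp(inv(a), to_bob, B)` confirms that the inverse of Alice's private key is a solution of the first.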

Certain criteria on the choice of the platform group for a cryptosystem 
were given by Shpilrain [25]. We note that BV satisfies those criteria. In 
Section 3, we have shown that computations in BV can be performed in 
polynomial time and that the word problem can also be solved in polyno- 
mial time. The group BV has a presentation with many short relations [7]. 
According to [25], this might make it harder to mount length based attacks 
on BV (more on this below). Finally, both braid groups and Thompson's 
groups V and F are widely known, which makes the braided version BV
"marketable".

Both braid groups and Thompson's group F were investigated in the
context of cryptography, see [10], [20], [26] and references therein. In the 
remainder of this section, we shall compare BV to F and the braid groups 
from a cryptographic point of view. 

The simultaneous conjugacy problem in F was solved by Kassabov and 
Matucci [18] using the interpretation of elements of F as piecewise linear 
functions. Such interpretation is not available for BV. 

The conjugacy search problem seems to be harder for BV than for braid 
groups. Efficient algorithms for solving the conjugacy problem in braid 
groups are based on associating a finite set (called summit set [15], super
summit set, and ultra summit set [12], [16]) of conjugates to any braid $\beta \in B_n$.
One should note that finiteness of the summit sets relies on the number of 
strands n being fixed. Braids extracted from elements in BV can have an 
arbitrary number of strands, which makes it impossible to directly transfer 
to BV strategies successful for braid groups. 

There are also known attacks on braid-group based crypto-systems using 
linear representations. Braid groups are known to be linear ([4], [19]), but 
more importantly, the Burau and colored Burau representations have small 
kernels and can be exploited. According to Theorem 23, such attacks on BV 
will not work. 

A very general approach, now known as length based attack, was de- 
scribed in [17] and further developed in [14]. It relies on the existence of a 
good length function on the platform group, and can be used to solve ar- 
bitrary systems of equations over the group. The main idea is to use the 
length function to turn the system of equations into a problem in
combinatorial optimization. We refer to [14], [24], and [22] for descriptions of length
based attacks for the conjugacy search problem in braid groups and Thomp- 
son's group F . Length based attacks are most successful if randomly chosen 
subgroups of the platform group are generically free (see [23] for a detailed 
analysis). This is the case for braid groups [21]. Both groups, V and BV, are
known to have free subgroups. It is not known whether random subgroups 
of V and BV are generically free. Thus, answers to the following questions 
will have an impact on the usability of BV for cryptography: 

Question 24. What are generic subgroups of V and BV?

Question 25. Does BV have a quotient with generically free subgroups? 